To be clear, by "blocked" Flash we really mean enforced click-to-activate. User choice is always a #1 priority at Mozilla.
We regularly block vulnerable plugins. What made this block different was that we did it before Adobe made an update available. Now that Adobe has released an update, it is no longer true that every version of Flash Player is blocked in Firefox.
However, we're glad to see the conversation this has sparked. Personally I align with Alex Stamos regarding Flash, in the thinking that a formal EOL would be great.
I'd also like to use this space to make a shameless plug for Shumway, a project set on building a faithful and efficient renderer for the SWF file format without native code assistance. Ending Flash doesn't need to mean an end for Flash media. http://www.areweflashyet.com/shumway/
Technology should be replaced by better technology. To give you some background: I've written games for all kinds of platforms: PocketPC, Windows Mobile, (Desktop) Windows, Linux, OS X, Flash (AS3), HipTop, J2ME devices and some smaller proprietary devices.
Some of those platforms offer write once, run everywhere. On other platforms every device has its own quirks and you have to test on every device and implement workarounds.
You might not like Flash, but it is great at running on every platform/browser with the same code base. If you test it on one platform, it runs on all others. (Adobe is also very good at keeping it backwards compatible)
Now, I ask you, what's the alternative for Flash? Does HTML5 offer write once, runs the same on every platform/browser(version!)? No it doesn't, and it never will. Even simple HTML pages are full of browser checking hacks.
Now, if you can offer a programming platform where the games I develop on, run exactly the same on every browser, on every platform, I have no problem killing Flash. But let's be honest here, only plugins can guarantee such a thing.
As to Alex Stamos, the top games on Facebook are all Flash. You know why? Because developers don't have to worry whether or not those games will run inside the user's browser. Because once Flash is installed, they will run without issues. HTML5? No such guarantee.
So before you declare EOL, please have a proper alternative, where I don't have to pull my hair and cry all night because browser X on platform Y version Z seems to break the end boss of level 5 in my game because its implementation slightly differs from all the rest.
While I do understand where you are coming from - it can be more convenient to target a single implementation - the fact is that Flash has not been what you describe, for a while now. Flash officially announced it would no longer support Linux, and Flash is not usable in most mobile browsers either, for example.
Even plugins can't really get you what you want here. Yes, HTML5 has limitations, as you described, but plugins aren't the solution. HTML5 is closer, and moving in the right direction at least.
Flash isn't part of the Web. It's not vendor neutral.
If Adobe decides to deprioritise a platform, that means the users of that platform will experience less support in terms of bug fixes, performance and security. If Adobe decides not to support a platform, period, that means users of that platform are left without a means to access Flash content.
If you are a user this is unacceptable. More importantly these things have already happened.
Hi, while I got your point and mostly I agree with you, I just have a question.
Now that WebGL is widely adopted, why can't you create your games using that technology? Or even compile your C/C++ games with asm.js. I saw very nice demos in the past.
For simple 2D games (like most of the Flash games), I saw very nice Flash-friendly libraries like Phaser[0] (based on Pixi.js).
Do you have any interest in organizing an effort, along with Facebook's Alex Stamos and other folks, to plan a formal EOL for Flash? Of course, the steps Mozilla and others have taken help, but perhaps a more organized movement could get other thought and market leaders on board, trigger higher rates of HTML5 adoption and foster the bits of remaining innovation that are needed to fully replace Flash on the web.
Also, does Firefox plan to address the concerns brought up about Hello, and, more importantly, Pocket?
I was advocating for this yesterday in /r/sysadmin and this morning it was a pleasant surprise to hear that this actually happened. I imagine you're getting all sorts of complaints from advertisers and others, but it's the right move. The web is simply dangerous and having an unaccountable closed source binary happily running anything served to it is just crazy.
I'd love it if you kept it like this and implemented a flash whitelist function. Flash needs to be treated like Java: it's legacy tech that should be used only via whitelisting. Google is too embedded into the marketing and advertising world to ever consider doing this in Chrome. It's really up to you guys, per usual, to save the web.
Oh please don't remove Pocket, this is one of the awesome features of Firefox along with Tree Style Tab (and if it was just me I would add Tree Style Tab by default as well).
(And of course I go against the public opinion here on HN, but I wonder how many people did actually use Pocket before trashing it?)
Just out of curiosity, how will removing Pocket integration and Hello (a thin UI over WebRTC) affect you personally? Both are lazy-loaded, so the only bloat they add is "visual bloat". This behavior is seriously disappointing from the Firefox community.
I've been using Pocket since it was Read It Later and I was pleased to see it integrated into the browser. Mozilla is working on a Reader mode[0] but it does not seem to be ready for public consumption yet (despite landing in 2012). Most people don't even know it exists, and it obviously does not save it for later (unless you bookmark it). The implementation is open-source (MPL license), although Pocket itself is proprietary. Hotword detection is not absolutely necessary for browser functionality, yet I hear no chorus of complaints from Chrome users. Should Mozilla be prohibited from partnering with proprietary third-parties whether or not it benefits their users?
Hello is even less of an argument. Firefox Hello is a simple JavaScript UI for the existing WebRTC spec supported by Firefox, Chrome, and Opera[1]. It allows people to communicate without having to set up accounts or sign in somewhere, and works against the platform lock-in of proprietary services such as FaceTime, Hangouts, and Skype. If it's disabled by default, the service becomes useless. My parents shouldn't have to enable it in about:config for me to talk to them, nor should they have to download another plugin to use a technology built in to the browser. I understand the security implications[2] in IP leakage[3], but I don't see a simple fix that doesn't neuter the functionality (although this comes close[4]). W3C has stated their position on fingerprinting[5], but at least Mozilla is actively working on the issue.
I noticed this behavior when I fired up an older Mac I hadn't used in a year or so. It was refreshing that Flash always required click-to-activate, and I made this the setting on all my machines a while back and started suggesting it to my friends too.
Some websites' videos don't work as well: they have JS or CSS that interferes, or assume that you don't have Flash installed, or retaliate as if you are an ad blocker. So I'm glad to see this is becoming more widespread; those problems may get fixed.
Is Shumway a possible replacement for Scratch 2's flash implementation? They seem to think that there are some flash things that just can't be done without flash:
> Unimplementable Features on iOS: Image effects for whirl, fisheye, mosaic, and pixelate. Sound and video input for loudness, video motion, and touching colors from the video.
The next time this happens can you please disable it entirely?
The things on my site (video, some ads) that use Flash will fall back nicely to HTML5 if Flash is disabled, as will most of the web. Click to activate is the worst of both worlds.
That's completely technically meaningless without EOLing NPAPI, and Google's currently the only people brave enough to do that. Firefox's EME implementation is strictly less of a threat to your privacy than the current status quo, by design.
NPAPI has its own privacy and security and stability reasons to meet a swift doom, even independent of the DRM question.
"To prevent these add-ons from running, click Restart Firefox."
Why doesn't the dialog box have that same explanation? Did you (mozilla) think the two button options "Restart Later" and "Restart Firefox" won't confuse people?
I second this! Tree Style Tab is one of the few addons that I cannot live without. Heck, it is one of the reasons why Firefox is my primary browser.
This feature should be made native and the original developer should be rewarded somehow for his efforts.
One slightly annoying thing I found right now is that if I have a plugin set as disabled in about:addons, it will not show up on the update checker found in the top link.
The (unprivileged) Plugin Check website can't detect disabled plugins because they don't show up in navigator.plugins. Ideally, Plugin Check should be an automatic check built into Firefox. The advantage of the Plugin Check website is that it works in any browser.
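As an added illustration of the limitation described in this reply (this is not Mozilla's Plugin Check code, and both the plugin list and the "minimum version" below are constructed for the example), here is the kind of unprivileged check a web page can run over `navigator.plugins`. The point it demonstrates: a plugin disabled in about:addons is simply absent from the list, so the page's "missing" result cannot distinguish "not installed" from "disabled" and must not be read as "up to date".

```javascript
// Added example (not from the thread or from Mozilla's Plugin Check): a
// minimal unprivileged plugin check of the kind a web page can run. It only
// sees what navigator.plugins exposes; a plugin disabled in about:addons is
// absent from that list, so "missing" covers both "not installed" and
// "disabled" and must not be read as "safe".

// Constructed stand-in for navigator.plugins so this runs under Node.
// The description format "Shockwave Flash <major>.<minor> r<revision>" is
// what the real plugin reports; the version numbers here are made up.
const samplePlugins = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 17.0 r0' },
  { name: 'Example PDF Viewer', description: 'Constructed, not Flash' },
];

// Constructed "minimum patched version" for the comparison; a real check
// would take this from the vendor's current release information.
const MIN_FLASH_VERSION = [18, 0, 0];

// Parse "Shockwave Flash 17.0 r0" into [17, 0, 0]; null if the string
// does not look like a Flash plugin description.
function parseFlashVersion(description) {
  const m = /Shockwave Flash (\d+)\.(\d+)(?: r(\d+))?/.exec(description || '');
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of [major, minor, revision] arrays: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inspect an array-like plugin list (navigator.plugins in a browser, or the
// sample above). Returns { status: 'missing' | 'outdated' | 'current', version }.
function checkFlash(plugins, minVersion) {
  const flash = Array.from(plugins).find(p => parseFlashVersion(p.description) !== null);
  if (!flash) {
    // Absent from the list: uninstalled OR disabled; the page cannot tell which.
    return { status: 'missing', version: null };
  }
  const version = parseFlashVersion(flash.description);
  const status = compareVersions(version, minVersion) < 0 ? 'outdated' : 'current';
  return { status, version };
}

// Stand-alone run; in a browser you would pass navigator.plugins instead.
console.log(checkFlash(samplePlugins, MIN_FLASH_VERSION));
```

In a real page the only line that changes is the argument to `checkFlash`: `navigator.plugins` is array-like, which is why the function goes through `Array.from`. The 'missing' branch is the one to be careful with when reporting results to users.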
I don't know that it's particularly faster than what can/could be accomplished with svg + JavaScript ...
I think most of the speed as a plugin vs native html/svg/js is that you don't have the whole DOM to deal with (including reflows, etc), and that their ActionScript is a much smaller subset of a language than JS in the browser, AS3 changed things a bit though. Today with canvas and an audio api that mostly works, you can get the same.
What I really wish is that Adobe would create Flash-level tooling with outputs for HTML/canvas/js/web-audio and video.
ActionScript (the Flash programming language) is pretty much the same as JavaScript. The main reason why Flash is often a lot faster than HTML+JS things in a browser is that it is not constrained to a slow, broken DOM for building UIs.
For what it's worth, the shumway racing AS3 demo appeared to work but froze all input like closing or switching tabs for me and I had to kill it with task manager. Windows 8.1, Firefox 39.0.
Why isn't Mozilla spending more time to ensure Firefox is using all of the security resources that the OS gives it? Things like ASLR still aren't enabled by default, let alone plugin sandboxing like what exists in Chrome. While Shumway would be nice, having a reliable, secure way to hook into native code would be a lot nicer.
Job done. No more Mozilla annoyances between me and the content I wish to access. And yes, it was an annoyance because the link to "check for updates" in your message would not get me anywhere. That was a flaw in your strategy that I now suspect was deliberate. I really can't respect engineered annoyances that align with agendas rather than good UX.
I like Flash when it's done well. Raw performance and efficiency is one of the things I like about it. The powerful multimedia handling of everything from audio to video cannot be matched by HTML5. I'm an HTML/CSS/JS dev for my living for 20 years, that's how I know this to be true.
HTML5 video is cute. But it doesn't cut the mustard in all circumstances.
360 video, VR, and many other things will come along that are too much for web technologies to handle. Flash serves a useful purpose in allowing websites to cater to the most demanding cutting edge tech and content without needing the Firefoxes and Chromes of the world to keep up.
"closed source"; "battery drain"; "plugins are just bad".... oh cry me a river.
Holy shit. Flash has over 34 CVEs in one week—and only because a prominent organization that was sitting on a bunch of them got hacked—and you call mozilla taking steps to protect the security and integrity of their customers an "engineered annoyance"?
Bugs are always bad (and security bugs even more so) - but I've always felt that Flash gets a disproportional amount of hate/hype in the media. To some degree it should be normal that the more widespread a technology is - the more it gets targeted for security exploits.
If you run the popular browsers/plugins against the National Vulnerability Database, you'd get the following results (as of January 2014):
- Internet Explorer 366 total vulnerability issues (314 high severity)
- Google Chrome 235 total vulnerability issues (154 high severity)
- Adobe Flash 207 total vulnerability issues (169 high severity)
- Mozilla Firefox 190 total vulnerability issues (86 high severity)
- Oracle Java 161 total vulnerability issues (69 high severity)
I have a lot of experience of end users and they are forever telling me that they get so many different "Update this", "Update that" windows that they can no longer distinguish real from fake. Some of them have been tricked by fake web site pop-ups as a result, others ignore legitimate update messages. I do not blame them.
Internet Explorer and Google Chrome get updated in a way that most end users find to be simple to understand, particularly with Chrome. Firefox is also quite good in this regard. All of them are reliable - it is rare, IME, to come across a Windows Update, Firefox or Chrome instance which is silently failing to update. Or not even bothering to prompt to update.
Flash, however often I install it, just doesn't seem to auto-update reliably. Quite often it only does so after a user log on/reboot, which doesn't happen much in the days of standby. Even on brand new, fresh Windows installs (so we know the OS/Flash isn't broken), I test Flash from time to time and it just doesn't prompt to update at all on some occasions. This is what makes Adobe's poor track record exponentially worse - that their software update mechanism is crap at best.
I was gobsmacked when Microsoft declared they were going to start updating Flash via Windows Update. Gobsmacked and so very relieved. It felt like they'd walked into Adobe's office, grabbed their fire extinguishers and told them "You are so useless that when there's a fire, WE will come and put it out, since you don't seem able to. We are sick of our offices getting burned down because of your idle incompetence."
I won't even address Oracle's Java. Bundling malware with their updater is tantamount to crime.
That's the real reason they don't want an auto-update. Google pays them a lot for bundling Chrome (I think it's around $1 per install). They keep breaking the auto-update on purpose so that they can make a ton of money by bundling other software. Same with Java updates.
Yes! I admin my parents' computers and after trying to explain which 'update' windows are genuine, I realised that there just isn't a good way to tell them apart.
Silent auto-updates are really the right way to go for non-techies. Even the post-upgrade 'announcement' popups are confusing. For instance, I've installed Ghostery on their computers and the 'ghostery has been updated' popup is just confusing for them, leading to confusion and phone calls to me.
Flash also doesn't seem to auto-update for them, despite me setting it up. I don't understand it either, as they turn off & on the machine regularly. Why can't Adobe get this right?
Flash also comes with McAfee (or some other bundleware). I wouldn't be surprised if the reason why they haven't made a proper auto-updater is because of that. That they'd miss out on those minuscule profits they get from that.
I have had multiple non-technical friends, in one case on a fresh install I'd done myself, run into the Flash update window simply showing a gray background that never does anything.
The best solution for this, from Adobe's own forum? Find the corporate-deployment version, download that (ignoring the messages that say it isn't what you want) and run it. This works flawlessly, but even less automatically.
Both the Flash and Java updates almost feel like "Pay Attention To Me!" Just like all those discount cards that exist in part so you carry around a fetish with the corporate logo.
> I have a lot of experience of end users and they are forever telling me that they get so many different "Update this", "Update that" windows that they can no longer distinguish real from fake. Some of them have been tricked by fake web site pop-ups as a result, others ignore legitimate update messages. I do not blame them.
One solution to this is to use AdBlock Plus. When a site permits adverts that threaten a computer's security, it is time to add it to the blocklist.
Remote code execution exploits were found in Firefox at least once per month during the first half of 2015. The only reason we didn't hear about these cataclysmic exploits is because it wasn't Flash.
Hackers search for remote code execution exploits in Flash first and foremost because they know a successful Flash exploit will reach the highest number of targets (90% or more on the desktop) whereas only 44% of desktop machines are running Chrome and 15% are running Firefox.
Hackers seeking out and exploiting RCE bugs in Firefox is unheard of for the same reason malware targeting Macs has been virtually unheard of over the past decade: It's not that OS X is more secure; it's simply that Windows is a more lucrative target.
Mozilla seems to take anywhere from 1 to 3 months to fix these severe bugs. Adobe takes days.
Source for this complete and utter FUD? Certainly not the links you gave:
Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk
Jan 13, 2015: Firefox 35.0 shipped with patch
It's hard to get dates out of the others because the bugs are still hidden, but the "fixed in" is often a security fix update after a release, which means it can't possibly have been > 6 weeks.
> If you run the popular browsers/plugins against the National Vulnerability Database...
That's misusing statistics; you can't determine how secure something is by just summing up the number of vulnerabilities, equally weighing/comparing browsers with a plugin, etc.
By the way, Apple's opinion on Flash in 2010:
Third, there’s reliability, security and performance.
Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.
So Flash is second in terms of number of high severity bugs and first in terms of the percentage of bugs that are high severity, only being beaten by Internet Explorer. By your evidence the hate for Flash is quite justifiable.
Flash bugs are more important because they are cross-browser. I will still use Flash though on older computers, because it needs fewer resources for video.
Yes but Flash vulnerabilities are incremental vulnerabilities.
So just counting high severity vulnerabilities, the chart is:
- IE: 314. IE with Flash: 483.
- Chrome: 154. Chrome with Flash: 323.
- Firefox: 86. Firefox with Flash: 255.
And of course, you can add a third column for Java and a fourth column for browser with Flash and Java.
I have no idea what their bugs-per-line-of-code are, perhaps they have the finest code on the planet. But from a surface area perspective, installing Flash makes you more vulnerable, period. And it really is not necessary, whereas it’s not like you can browse the web in pure Flash and not install a browser.
>But from a surface area perspective, installing Flash makes you more vulnerable, period.
So does turning on Javascript. Yet the popular opinion these days is that disabling Javascript makes you a luddite. Mozilla even hid the option for it in Firefox.
Yes, but Flash alone doubles the attack vector of a browser - that's nothing to be sneezed at. I think it's particularly poignant when you look at the high severity metric.
I am not sure the attack vector argument is 100% valid here, as Flash replacement technologies constantly add attack vectors to modern browsers, too. Many traditional Flash features are now covered by WebGL-accelerated browser functionality, like accelerated 2D canvas elements. My guess would be that this browser-GPU bridge creates a whole zoo of GPU driver related security issues which attackers might focus on once Flash is completely obsolete. (My money is on a remote code execution vulnerability in the Firefox Adobe DRM module.)
A Turing-complete machine running untrusted code is a nightmare for security. There will always be bugs and exploits; it's just a matter of time and effort to find them.
JavaScript enabled by default is already bad enough. We don't need Flash, Java, ActiveX or anything similar turned on by default. So it's a good move from security viewpoint. Less attack surface.
They do get more bad press than perhaps others should. There is already a perception about Flash that it is not a great product, which feeds into this. Reasons are varied.
- Performance has not been good on Macs (my 2007 Macbook Pro literally burned my legs when running anything flashy)
- Flash updates mechanism seems a little spammy.
- Long-term perception of Adobe as a maker of a somewhat buggy, somewhat bloated software
- Steve Jobs' public denigration
- Backlash against proprietary standards being used on the web
The best thing about click to play Flash is it puts a stop to autoplay videos on the less reputable sites I occasionally and shamefully glance at for sports news.
I don't think the hate comes from bugs or exploits.
I think people hate Flash because it is laggy and slow, makes things move on your screen that you don't want, is widely used for ads or to shit on the user experience, etc.
Granted most of it might be bad programming, but I still think it comes from there rather than from exploits.
In general, plugins are supposed to improve a product by adding or enhancing existing features. Flash however enables websites to break out of the HTML, CSS and JS environments and their security constraints, which should mean that Flash has a larger responsibility regarding security. If Flash lived under the constraints of the browser's own security, then Flash bugs would barely register as newsworthy.
Another point that hasn't been raised yet: Flash is a much smaller piece of software than a browser, so how come it has more bugs? It certainly speaks for its internal code quality.
Cost/benefit seems higher for Flash/Java than browsers. You really need a browser, but you don't really need a [fancy thing that can't be done in JS]. As another commenter said, it doubles your attack surface and for little benefit.
Flash game enthusiasts would probably disagree, but most of us can probably do without it given the risk.
As an enthusiast for a handful of flash games, it is increasingly tempting to make a VM just for running them. Even then, with all the progress in Javascript, it's questionable whether I should bother.
Hey, thanks for the headsup. We had an old component that we used as a fallback for certain kinds of videos that was always active. It was a legacy component that just got forgotten. I removed the Flash fallback about half an hour ago, so this shouldn't be showing up anymore.
They seem to use it for clipboard access; some repository links have a button that puts the URI in your clipboard automatically. I'm not sure if there is anything else they are using it for.
The final act of HTML5 delusion - it becomes "ready" because we say it's "ready". It's just someone forgot to ask Flash (game) developers' opinion. Not that it matters, right?
You really think the opinion of game developers should matter in a discussion about how to make browsers reasonably secure for people to use without getting their hosts compromised? Because I don't.
Anger towards browser developers or HTML5 is misplaced; you should be angry with Adobe for the fact that Flash is buggy, insecure, and closed-source.
It's 2015 and it has been clear for at least 5 years that Flash was going to die eventually. If you still haven't migrated away or - worse - are still developing new apps in Flash, it's your own fault.
And since when do you have to please everybody? Flash developers are a minority, and they have no power to influence the market.
The sooner Adobe abandons the dead horse, the better for all of us. Kevin has gone away for years now, and Adobe's force is not based on Flash anymore (disclaimer: I own Adobe stock)
I did the "click to activate" option for Flash in Firefox. I like it. (Safari and Chrome can do this too.) This way Flash is activated only when really needed.
I feel your pain. The university site I'm working on has Flash protein visualizations. We're finally moving visualizations to JS. We'll get there, but with Flash being kinda turned off, users will have to turn it back on manually or our pages won't work until we're rid of Flash.
God, will Flash just die already? Firefox is my primary browser and I run it without Flash. On the very odd occasion I need it I have IE in protected mode, which has Flash built in. If a site does use Flash I will seek an alternative though, as I hate it that much.
On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
5 to 7 years ago I would have said the same thing, I hated Flash with a passion. But now, when it's almost gone for good, I see that it had its reasons. For example the new Google Street View is many times slower and lags so much as to give me motion sickness (when it's not blocking my browser) compared to the previous version, which was Flash-based, and which used to work like a charm.
The new Google Maps is also dramatically slower, laggier, and buggier than the old version which was a regular web app built to work on browsers from 2005.
I think the terribleness of recent Google web front-ends (not only Maps and Street View but also Search, Mail, Groups, Gplus, etc.) is mostly a product of incompetent management process internal to Google, rather than an indictment of web technology generally.
Flash should still have its legitimation as an authoring tool. I think the direct approach in which you can throw together a scene or an animation has its value. The tools you use influence design decisions. Of course, technology wise, we should be happy without it. But if you always start a project with coding first, it limits your thinking. I fancy all the nice webgl demos and data visualizations, but they mostly lack a meaningful human perspective. Authoring tools like Flash and Director did provide a different feedback loop, not a data point of view but a narrative one.
Unfortunately Flash still fills a couple gaps in browser support: live video streaming and adaptive bit rate streaming (live or recorded).
I posted a similar comment about it the other day: [0]
Personally I would like to see HTTP Live Streaming (HLS) [1] implemented in all the browsers; it's a nice lightweight protocol and would be the path of least resistance since it's already used heavily in the mobile space.
Agreed. I was looking into this streaming/live video issue as well and there really is no cross platform method of doing this without having a Flash fallback.
For everything else however (like pre-recorded video, games via WebGL), Flash should be phased out.
> On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
That is primarily because of the flash ads being dumped. An ad/flash/js blocker achieves much the same and then some by further reducing the latency to collect everything needed to render.
Tidal and Deezer are others which require Flash. Both have desktop apps, however. Tidal's desktop app is awful and laggy to the extent I prefer using the web interface; Deezer's Windows app lacks some features compared to the web player.
Mozilla performance dev here: Our data backs this up. 4 out of 10 of our top most frequent janks are due to Flash initialization. I'm working to make that all work asynchronously until the time comes when we can kill NPAPI altogether.
Will someone actually go ahead and implement the required features in the browsers? Last I checked there is still no cross-platform way to do video publishing without flash. The option we now all have is multiple platform specific implementations.
I find "Click to Play" makes for a better browsing experience, and think this is a fine move for Firefox.
Interestingly, Google Chrome recently moved in the opposite direction, and removed support for having Flash off by default and activating with a single click. Instead, they consider Flash to be "important plug-in content". While they allow you to have it off by default, rather than "click to play", they now require that you right click then pull down to "run this plugin" each time you want to activate: https://productforums.google.com/forum/#!topic/chrome/xPcpRB...
I presume this is because they want to discourage people from having Flash off by default, since this would mean they would miss too many Flash ads. I took this as an opportunity to try out some different browsers, and found that Opera met my needs slightly better than Firefox. If you are looking for an alternative to Firefox or Chrome, or just want to see what's out there, you might want to check it out too: http://www.opera.com/
ps. As an example of the new Google interface strategy, to show all the responses on the Google Chrome Help Forum link above rather than being forced to click on each one, you can press the 'o' key some random number of times until they appear: https://productforums.google.com/forum/#!topic/gec-answers-f...
I've seen this argument, but don't believe that removing the option for click-to-play improves security. I could believe this theory if the default was simultaneously changed to have Flash default to off, but as it is, the result is that more users will choose to keep the default where Flash is always on. Surely automatic activation is even less secure than a potentially hijackable click-to-play?
I've been click to play on Firefox for a long time now. Faster, less annoying ads (I am okay with non-annoying ads; they help pay for the site), and sites rarely need Flash anyway. I think only Gmail and GitHub (for click to copy) need it.
I uninstalled Flash a few days ago, because I didn't want to deal with the updates anymore. Since Flash was unbundled from Mac OS X it has become a pain to update. I simply don't understand why I need to go to the Adobe site to get the updates.
Flash isn't super relevant anymore anyway, the main thing it's used for on my computer is Flash tracking cookies, and I can do without those. I do wonder how some of the tracking and retargeting companies will deal with the decline of Flash though. We asked a partner to stop using Flash for tracking, their response was that it's the best way to doing user tracking. Hopefully they'll change their mind soon.
The update process is horrendous. Redirect to Adobe's website, follow a 3-step 'wizard' - where Step 2 is a placebo 10-second loading bar saying it is "initialising" - and Step 3 is an advertisement for installing other crap from Adobe.
After all that you have to download a DMG, close all your applications and reinstall from scratch. Why not just build in an auto-update in the background and be done with it...
On Windoze, I always go to google for "flash player distribution3" and install the MSI packages for enterprise deployment. That keeps me from the malware bundle.
On the Mac, it's easy, I use Chrome as my Flash jail. I use Safari all the time and the few times I need Flash I fire up Chrome and it's there. Don't have to worry about Flash hacks or Chrome battery drainage.
The only other place where I've found that Flash is relevant is in auto-play videos, so now having Flash installed but disabled basically removes the auto-play 'feature', which is really neat.
Unfortunately in this case avoiding the problem won't make it go away.
Many old sites will stop working (my first site was done in flash) as well as many games that are still heavily played today by millions of people. Also flash IDE provides a good introduction to programming for self-taught kids these days: many of them still do their first code in flash after clicking on "that strange icon next to photoshop".
Overall this is a good example of prolonged trust in a binary blob. IMO we will always tend to do what is more comfortable, and we should strive for openness and transparency in the tools that most people rely on every day.
The problem persists as long as there are people installing the plugin or "enabling" it.
We need a real open-source alternative to flash player.
> We need a real open-source alternative to flash player.
We quietly built the alternative to Flash over the last 10 years. It's called the web.
A standard document in the web browser can play audio, video, display vector graphics, utilise OpenGL, supports direct drawing via Canvas, and it is deeply scriptable with a mature, open programming language.
I need all of those things to look exactly the same in each and every browser, instead of corrupted icons or broken navigation because the developer tested it in Chrome for Windows but neglected, say, Iceweasel for Debian.
I have yet to find a non-flash game capable of doing that. And if the alternative is "we should discard this closed binary that works on every platform in favor of this free-but-browser-dependent stack", I find that odd.
The age old test of any platform is the ability to run games, and HTML5 just isn't there when put next to Flash or native apps. And I'm not talking the bleeding edge stuff, but simple things like getting sound to work between browsers (a task that Flash did very well). Although to be fair the gatekeepers of browsers are Apple and Google who want you to pay the app store tax.
When I wanted to start programming, one of the things I tried was flash. I absolutely couldn't figure out what the fuck was going on even with tutorials, it's garbage.
That's strange, I found Flash programming very accessible. There's a huge amount of good learning material out there, and plenty of shortcuts and components you can use to do quite complex things.
Flash components were really interesting, and made it easier for non-programmers or designers to manipulate a user-friendly "API" of sorts within Flash. This was very powerful. Hugely underrated and conveniently forgotten by the Flash-haters.
To be clear, by "blocked" Flash we really mean enforced click-to-activate. User choice is always a #1 priority at Mozilla.
We regularly block vulnerable plugins. What made this block different was that we did it before Adobe made an update available. Now that Adobe has released an update, it is no longer true that every version of Flash Player is blocked in Firefox.
However, we're glad to see the conversation this has sparked. Personally I align with Alex Stamos regarding Flash, in the thinking that a formal EOL would be great.
I'd also like to use this space to make a shameless plug for Shumway, a project set on building a faithful and efficient renderer for the SWF file format without native code assistance. Ending Flash doesn't need to mean an end for Flash media. http://www.areweflashyet.com/shumway/
Edit: typo
Technology should be replaced by better technology. To give you some background: I've written games for all kinds of platforms: PocketPC, Windows Mobile, (Desktop) Windows, Linux, OS X, Flash (AS3), HipTop, J2ME devices and some smaller proprietary devices.
Some of those platforms offer write once, run everywhere. On other platforms every device has its own quirks and you have to test on every device and implement workarounds.
You might not like Flash, but it is great at running on every platform/browser with the same code base. If you test it on one platform, it runs on all others. (Adobe is also very good at keeping it backwards compatible)
Now, I ask you, what's the alternative for Flash? Does HTML5 offer write once, runs the same on every platform/browser(version!)? No it doesn't, and it never will. Even simple HTML pages are full of browser checking hacks.
Now, if you can offer a programming platform where the games I develop on, run exactly the same on every browser, on every platform, I have no problem killing Flash. But let's be honest here, only plugins can guarantee such a thing.
As to Alex Stamos, the top games on Facebook are all Flash. You know why? Because developers don't have to worry whether or not those games will run inside the user's browser. Because once Flash is installed, they will run without issues. HTML5? No such guarantee.
So before you declare EOL, please have a proper alternative, where I don't have to pull my hair and cry all night because browser X on platform Y version Z seems to break the end boss of level 5 in my game because its implementation slightly differs from all the rest.
Even plugins can't really get you what you want here. Yes, HTML5 has limitations, as you described, but plugins aren't the solution. HTML5 is closer, and moving in the right direction at least.
If Adobe decides to deprioritise a platform, that means the users of that platform will experience less support in terms of bug fixes, performance and security. If Adobe decides not to support a platform, period, that means users of that platform are left without a means to access Flash content.
If you are a user this is unacceptable. More importantly these things have already happened.
Now that WebGL is widely adopted, why can't you create your games using that technology? Or even compile your C/C++ games with asm.js. I saw very nice demos in the past.
For simple 2D games (like most of the Flash games), I saw very nice Flash-friendly libraries like Phaser[0] (based on Pixi.js).
[0] - https://phaser.io/examples
Unfortunately, that alternative is Java applets.
Do you have any interest in organizing an effort, along with Facebook's Alex Stamos and other folks, to plan a formal EOL for Flash? Of course, the steps Mozilla and others have taken help, but perhaps a more organized movement could get other thought and market leaders on board, trigger higher rates of HTML5 adoption and foster the bits of remaining innovation that are needed to fully replace Flash on the web.
Also, does Firefox plan to address the concerns brought up about Hello, and, more importantly, Pocket?
I'd love it if you kept it like this and implemented a flash whitelist function. Flash needs to be treated like Java: it's legacy tech that should be used only via whitelisting. Google is too embedded into the marketing and advertising world to ever consider doing this in Chrome. It's really up to you guys, per usual, to save the web.
Unless you want to remove WebRTC and that's just stupid.
(And of course I go against the public opinion here on HN, but I wonder how many people did actually use Pocket before trashing it?)
2) Click "Customize"
3) Drag pocket and / or hello from the tool bar into "Additional tools and features"
4) Take a breather, phew that wasn't too hard was it?
https://support.mozilla.org/en-US/kb/customize-firefox-contr...
I've been using Pocket since it was Read It Later and I was pleased to see it integrated into the browser. Mozilla is working on a Reader mode[0] but it does not seem to be ready for public consumption yet (despite landing in 2012). Most people don't even know it exists, and it obviously does not save it for later (unless you bookmark it). The implementation is open-source (MPL license), although Pocket itself is proprietary. Hotword detection is not absolutely necessary for browser functionality, yet I hear no chorus of complaints from Chrome users. Should Mozilla be prohibited from partnering with proprietary third-parties whether or not it benefits their users?
Hello is even less of an argument. Firefox Hello is a simple Javascript UI for the existing WebRTC spec supported by Firefox, Chrome, and Opera[1]. It allows people to communicate without having to set up accounts or sign in somewhere, and works against the platform lock-in of proprietary services such as Facetime, Hangouts, and Skype. If it's disabled by default, the service becomes useless. My parents shouldn't have to enable it in about:config for me to talk to them, nor should they have to download another plugin to use a technology built into the browser. I understand the security implications[2] in IP leakage[3], but I don't see a simple fix that doesn't neuter the functionality (although this comes close[4]). W3C has stated their position on fingerprinting[5], but at least Mozilla is actively working on the issue.
0: http://www.ghacks.net/2015/02/07/mozilla-starts-to-push-read...
1: https://support.mozilla.org/en-US/kb/which-browsers-will-wor...
2: https://twitter.com/incloud/status/619624021123010560
3: https://bugzilla.mozilla.org/show_bug.cgi?id=959893
4: https://addons.mozilla.org/en-US/firefox/addon/statutory/
5: https://github.com/w3ctag/spec-reviews/blob/master/2015/05/f...
Some websites' videos don't work as well; they have JS or CSS that interferes, or assume that you don't have flash installed, or retaliate as if you are an ad blocker. So I'm glad to see this is becoming more widespread; those problems may be fixed.
I really like Scratch, but it's a pity that it's implemented on a platform so many people think should no longer exist.
(Assuming you can get the pixel data; but getting the pixel data from HTML content is actually a security nightmare…)
The things on my site (video, some ads) that use flash will fall back nicely to HTML5 if Flash is disabled, as will most of the web. Click to activate is the worst of both worlds.
NPAPI has its own privacy and security and stability reasons to meet a swift doom, even independent of the DRM question.
"To prevent these add-ons from running, click Restart Firefox."
Why doesn't the dialog box have that same explanation? Did you (mozilla) think the two button options "Restart Later" and "Restart Firefox" won't confuse people?
For the record, I'm more than fine with that. In fact, I've used extensions to get that effect for years.
I think most of the speed as a plugin vs native html/svg/js is that you don't have the whole DOM to deal with (including reflows, etc), and that their ActionScript is a much smaller subset of a language than JS in the browser, AS3 changed things a bit though. Today with canvas and an audio api that mostly works, you can get the same.
What I really wish is that Adobe would create Flash-level tooling with outputs for HTML/canvas/js/web-audio and video.
Flash is never blocked for me in Firefox and never will be. Because a few months back I did this:
1. about:config
2. extensions.blocklist.enabled - 'false'
Job done. No more Mozilla annoyances between me and the content I wish to access. And yes, it was an annoyance because the link to "check for updates" in your message would not get me anywhere. That was a flaw in your strategy that I now suspect was deliberate. I really can't respect engineered annoyances that align with agendas rather than good UX.
I like Flash when it's done well. Raw performance and efficiency is one of the things I like about it. The powerful multimedia handling of everything from audio to video cannot be matched by HTML5. I'm an HTML/CSS/JS dev for my living for 20 years, that's how I know this to be true.
HTML5 video is cute. But it doesn't cut the mustard in all circumstances.
360 video, VR, and many other things will come along that are too much for web technologies to handle. Flash serves a useful purpose in allowing websites to cater to the most demanding cutting edge tech and content without needing the Firefoxes and Chromes of the world to keep up.
"closed source"; "battery drain"; "plugins are just bad".... oh cry me a river.
My comment has reached EOL.
Grow up.
This is some comedy gold.
Congratulations, you just left yourself open to malware masquerading as addons.
If you run the popular browsers/plugins against the National Vulnerability Database, you'd get the following results (as of January 2014):
[source] https://nvd.nist.gov/
Internet Explorer and Google Chrome get updated in a way that most end users find to be simple to understand, particularly with Chrome. Firefox is also quite good in this regard. All of them are reliable - it is rare, IME, to come across a Windows Update, Firefox or Chrome instance which is silently failing to update. Or not even bothering to prompt to update.
Flash, however often I install it, just doesn't seem to auto-update reliably. Quite often it only does so after a user log on/reboot, which doesn't happen much in the days of standby. Even on brand new, fresh Windows installs (so we know the OS/Flash isn't broken), I test Flash from time to time and it just doesn't prompt to update at all on some occasions. This is what makes Adobe's poor track record exponentially worse - that their software update mechanism is crap at best.
I was gobsmacked when Microsoft declared they were going to start updating Flash via Windows Update. Gobsmacked and so very relieved. It felt like they'd walked into Adobe's office, grabbed their fire extinguishers and told them "You are so useless that when there's a fire, WE will come and put it out, since you don't seem able to. We are sick of our offices getting burned down because of your idle incompetence."
I won't even address Oracle's Java. Bundling malware with their updater is tantamount to crime.
That's the real reason they don't want an auto-update. Google pays them a lot for bundling Chrome (I think it's around $1 per install). They keep breaking the auto-update on purpose so that they can make a ton of money by bundling other software. Same with Java updates.
Silent auto-updates are really the right way to go for non-techies. Even the post-upgrade 'announcement' popups are confusing. For instance, I've installed Ghostery on their computers and the 'ghostery has been updated' popup is just confusing for them, leading to confusion and phone calls to me.
Flash also doesn't seem to auto-update for them, despite me setting it up. I don't understand it either, as they turn off & on the machine regularly. Why can't Adobe get this right?
The best solution for this, from Adobe's own forum? Find the corporate-deployment version, download that (ignoring the messages that say it isn't what you want) and run it. This works flawlessly, but even less automatically.
Both the Flash and Java updates almost feel like "Pay Attention To Me!" Just like all those discount cards that exist in part so you carry around a fetish with the corporate logo.
January 20, 2015: https://community.rapid7.com/community/metasploit/blog/2015/...
February 25, 2015: https://msisac.cisecurity.org/advisories/2015/2015-018.cfm
March 1, 2015: https://www.mozilla.org/en-US/security/advisories/mfsa2015-3...
April 22, 2015: https://msisac.cisecurity.org/advisories/2015/2015-046.cfm
May 12, 2015: https://www.mozilla.org/en-US/security/advisories/mfsa2015-5...
Hackers search for remote code execution exploits in Flash first and foremost because they know a successful Flash exploit will reach the highest number of targets (90% or more on the desktop) whereas only 44% of desktop machines are running Chrome and 15% are running Firefox.
Hackers seeking out and exploiting RCE bugs in Firefox is unheard of for the same reason malware targeting Macs has been virtually unheard of over the past decade: It's not that OS X is more secure; it's simply that Windows is a more lucrative target.
Source for this complete and utter FUD? Certainly not the links you gave:
Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk
Jan 13, 2015: Firefox 35.0 shipped with patch
It's hard to get dates out of the others because the bugs are still hidden, but the "fixed in" is often a security fix update after a release, which means it can't possibly have been > 6 weeks.
That's misusing statistics, you can't determine how secure something is by just summing up the number of vulnerabilities - equally weighing/comparing browsers with a plugin etc.
By the way, Apple's opinion on Flash in 2010:
Third, there’s reliability, security and performance. Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.
Source: https://www.apple.com/hotnews/thoughts-on-flash/
So just counting high severity vulnerabilities, the chart is
IE: 314. IE with Flash: 483.
Chrome: 154: Chrome with Flash: 323.
Firefox: 86. Firefox with Flash: 255.
And of course, you can add a third column for Java and a fourth column for browser with Flash and Java.
I have no idea what their bugs-per-line-of-code are, perhaps they have the finest code on the planet. But from a surface area perspective, installing Flash makes you more vulnerable, period. And it really is not necessary, whereas it’s not like you can browse the web in pure Flash and not install a browser.
So does turning on Javascript. Yet the popular opinion these days is that disabling Javascript makes you a luddite. Mozilla even hid the option for it in Firefox.
JavaScript enabled by default is already bad enough. We don't need Flash, Java, ActiveX or anything similar turned on by default. So it's a good move from security viewpoint. Less attack surface.
Also, getting rid of the constant update dialogs and crapware installed with Flash will improve the overall user experience.
Granted most of it might be bad programming, but I still think he comes from here rather than exploits.
This leak was the best thing that happened to the web.
Flash game enthusiasts would probably disagree, but most of us can probably do without it given the risk.
(A quick Google search shows they used to use it for the network graph but it is now Canvas.)
Anger towards browser developers or HTML5 is misplaced; you should be angry with Adobe for the fact that Flash is buggy, insecure, and closed-source.
The sooner Adobe abandons the dead horse, the better for all of us. Kevin has gone away for years now, and Adobe's force is not based on Flash anymore (disclaimer: I own Adobe stock)
https://support.mozilla.org/en-US/kb/set-adobe-flash-click-p...
I feel your pain. The university site I'm working on has flash protein visualizations. We're finally moving visualizations to js. We'll get there, but with flash being kinda turned off, users will have to turn it back on manually or our pages won't work till rid of flash.
And calling it unsafe, well, that's the truth.
On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
5 to 7 years ago I would have said the same thing, I hated Flash with a passion. But now, when it's almost gone for good, I see that it had its reasons. For example the new Google Street View is many times slower and lags so much as to give me motion sickness (when it's not blocking my browser) compared to the previous version, which was Flash-based, and which used to work like a charm.
I think the terribleness of recent Google web front-ends (not only Maps and Street View but also Search, Mail, Groups, Gplus, etc.) is mostly a product of incompetent management process internal to Google, rather than an indictment of web technology generally.
I don't have many problems with Firefox, it seems to work smoothly. Maybe it's Google's fault?
I posted a similar comment about it the other day: [0]
Personally I would like to see HTTP Live Streaming (HLS) [1] implemented in all the browsers; it's a nice lightweight protocol and would be the path of least resistance since it's already used heavily in the mobile space.
[0] - https://news.ycombinator.com/item?id=9874338
[1] - https://tools.ietf.org/html/draft-pantos-http-live-streaming...
For everything else however (like pre-recorded video, games via WebGL), Flash should be phased out.
That is primarily because of the flash ads being dumped. An ad/flash/js blocker achieves much the same and then some by further reducing the latency to collect everything needed to render.
I've heard Facebook video and last.fm streaming don't work without Flash for eg.
Regarding Facebook video, I fail to see how that is a bad thing ;)
Interestingly, Google Chrome recently moved in the opposite direction, and removed support for having Flash off by default and activating with a single click. Instead, they consider Flash to be "important plug-in content". While they allow you to have it off by default, rather than "click to play", they now require that you right click then pull down to "run this plugin" each time you want to activate: https://productforums.google.com/forum/#!topic/chrome/xPcpRB...
I presume this is because they want to discourage people from having Flash off by default, since this would mean they would miss too many Flash ads. I took this as an opportunity to try out some different browsers, and found that Opera met my needs slightly better than Firefox. If you are looking for an alternative to Firefox or Chrome, or just want to see what's out there, you might want to check it out too: http://www.opera.com/
ps. As an example of the new Google interface strategy, to show all the responses on the Google Chrome Help Forum link above rather than being forced to click on each one, you can press the 'o' key some random number of times until they appear: https://productforums.google.com/forum/#!topic/gec-answers-f...
See https://groups.google.com/forum/#!topic/mozilla.dev.platform...
What else do you need?
* Adaptive bit rate video streaming (recorded or live)
Nice to have but not required:
* Full H.264/AAC support across all browsers.
Unfortunately Flash is the only viable solution for the above right now.
(Github project pages have a flash application to handle this)
The 'Web' can't play video or audio, the 'Web' needs plug-ins to do so. Plug-ins like H264 decoders and Flash.